Posted to users@subversion.apache.org by Anders Palm <An...@prevas.dk> on 2008/02/21 16:30:53 UTC

possible bug using authz authorization

Hello

I'm experiencing some issues with the authz module on my apache2 svn
service.

Here's my problem:

ssl-configured apache2 server on windows server
Authentication through SSPI.

Most users (on a windows domain) are developers/employees, and should
have total rw access to all repositories.

However, some (external) users need read permission to certain
repositories (and some write permissions too), but definitely not for
all.

I'm also using SVNListParentPath to list my repositories for those users
that have access to all repositories.

My authzSVNAccessFile looks something like this:

[groups]
externals = <list of users>

[/]
* = rw

[repos1:/]
@externals = 

[repos2:/]
@externals =
someUser = rw

etc...

This blacklisting approach works *almost* the way I want it. I have to
remember to add all new repositories to the list to keep people out, but
I can live with that.

But I have a problem with my lists, because the lists are not part of
the repository (apparently, but shouldn't they be?). As such, they are
readable to any authenticated user. This is a problem, as it could leak
information not supposed to be available to the external users.

I would prefer to do it the other way around (whitelisting) for the
external users, something like this:

[groups]
externals = <list of users>

[/]
* = rw
@externals =

[repos1:/]

[repos2:/]
someUser = rw

etc..

And I would expect every user apart from the externals to have rw
access. But in reality, this is not how it works; apparently it matches
the *-rule and thus lets all users in.
To me, it would seem logical that the module reacts to the narrowest
scope. Is this a bug or a feature?

I know I could just type in all my users, but that is a rather large
userbase! And I would need to update this file every time a user is
added or removed from the domain.

Help???? :)

Cheers
Anders Palm
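The behaviour described in the post can be reproduced offline with a small evaluator for authz-style files. This is an added example, not Subversion's own implementation: it models two candidate precedence rules for several lines that match the same user inside one section, "union" (the user gets every right any matching line grants, which is consistent with what the post reports) and "most_specific" (a line naming the user beats group lines, which beat `*`, which is what the poster expected). Path handling is the same under both: the deepest section that mentions the user wins, and a repo-qualified section beats the global one at the same path. The group, user and repository names (`ext1`, `ext2`, `dev1`, `repos1`, `repos2`, `repos3`) are constructed; which model a given Subversion version actually implements should be confirmed against the live server, not assumed from this code.

```python
"""Toy evaluator for Subversion-style authz files (added example, not Subversion code)."""
import configparser

RIGHTS = {"": set(), "r": {"r"}, "rw": {"r", "w"}}   # empty value = no access
RANK = {"user": 3, "group": 2, "any": 1}              # subject specificity


def parse_authz(text):
    """Return (groups, sections).

    groups   maps group name -> set of members
    sections maps (repo or None, path) -> list of (subject, rights) lines
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str   # keep '@', '*' and user-name case exactly as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    sections = {}
    for name in cp.sections():
        if name == "groups":
            continue
        repo, path = name.split(":", 1) if ":" in name else (None, name)
        lines = []
        for subject, value in cp.items(name):
            value = (value or "").strip()
            if value not in RIGHTS:
                raise ValueError(f"unsupported rights {value!r} for {subject} in [{name}]")
            lines.append((subject, value))
        sections[(repo, path)] = lines
    return groups, sections


def _kind(subject, user, groups):
    """How a rule line applies to USER: 'user', 'group', 'any', or None if it does not."""
    if subject == "*":
        return "any"
    if subject.startswith("@"):
        return "group" if user in groups.get(subject[1:], set()) else None
    return "user" if subject == user else None


def _section_rights(lines, user, groups, model):
    """Rights USER gets from one section, or None if no line mentions the user."""
    matched = []
    for subject, value in lines:
        kind = _kind(subject, user, groups)
        if kind:
            matched.append((RANK[kind], RIGHTS[value]))
    if not matched:
        return None
    if model == "union":            # any grant wins; an empty line adds nothing
        return set().union(*(r for _, r in matched))
    if model == "most_specific":    # only the most specific subject(s) count
        top = max(rank for rank, _ in matched)
        return set().union(*(r for rank, r in matched if rank == top))
    raise ValueError(f"unknown model {model!r}")


def rights(authz, repo, path, user, model="union"):
    """Walk from PATH up to '/', repo-qualified section before the global one."""
    groups, sections = authz
    p = "/" + path.strip("/")
    while True:
        for key in ((repo, p), (None, p)):
            if key in sections:
                r = _section_rights(sections[key], user, groups, model)
                if r is not None:
                    return r
        if p == "/":
            return set()            # nothing matched anywhere: deny
        p = p.rsplit("/", 1)[0] or "/"


# Constructed equivalents of the two files in the post (ext2 plays "someUser").
BLACKLIST = """\
[groups]
externals = ext1, ext2

[/]
* = rw

[repos1:/]
@externals =

[repos2:/]
@externals =
ext2 = rw
"""

WHITELIST = """\
[groups]
externals = ext1, ext2

[/]
* = rw
@externals =

[repos1:/]

[repos2:/]
ext2 = rw
"""

if __name__ == "__main__":
    for label, text in (("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        authz = parse_authz(text)
        for model in ("union", "most_specific"):
            for repo, user in (("repos1", "dev1"), ("repos1", "ext1"),
                               ("repos2", "ext2"), ("repos3", "ext1")):
                got = "".join(sorted(rights(authz, repo, "/trunk", user, model))) or "-"
                print(f"{label:9} {model:13} {user}@{repo}: {got}")
```

Running it shows the two effects the post describes: under the "union" model the whitelist file grants `ext1` rw on `repos1` because the `*` line still matches, while the blacklist file keeps `ext1` out of `repos1` and `repos2` but lets the same user into an unlisted `repos3` through the global `* = rw`. Only under the "most_specific" model does the whitelist file deny `ext1` as the poster expected.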
